<?php

class App_Plugin_AccessCheck extends Zend_Controller_Plugin_Abstract {

   private $_acl = null;

   //	public function __construct(Zend_Acl $acl) {
   public function __construct() {
      //$this->_acl = $acl;
   }


   public function preDispatch(Zend_Controller_Request_Abstract $request) {
      $resource = $request->getControllerName();
      $module = $request->getModuleName();
      $action = $request->getActionName();

      if(!$this->_accessValid($request)) {
         //throw new App_Exception_AccessDenied('Access denied');
         $request->setModuleName('default')
                 ->setControllerName('authentication')
                 ->setActionName('login');
      }
   }

   private function _accessValid(Zend_Controller_Request_Abstract $request) {
      $user = $request->getParam('user', null);

      //the identityloader plugin should have added a user to
      //the request and if it doesn't exist something is wrong
      if($user === null) {
         return false;
      }
      $params = $request->getParams();
      $factory = new App_AclFactory();
      $presource = null;
      $groups = $user->getGroups();

      // the module
      // check for admin section and admin user
      $inAdmin = $params['module'] == 'admin';
      if($inAdmin) {
         $isAdmin = false;
         foreach($groups as $group) {
            if($group->name == 'admin') {
               $isAdmin = true;
            }
         }
         if($isAdmin) {
            // grant access for admin to any place
            return true;
         } else {
            // we are in admin  but we don't have access to admin
            return false;
         }
      }

      //  controller
      $presource = Model_Category::findByName($params['controller']);


      try {
         $acl = $factory->createCategoryAcl($presource, $user);
      } catch (Exception $e) {
         $layout = Zend_Controller_Action_HelperBroker::getStaticHelper('Layout');
         $view = $layout->getLayoutInstance()->getView();
         $view->errorMessage = $e->getMessage();
         $view->errorType = 'ACCESSDENIED';
         $request->setModuleName('default')
                 ->setControllerName('authentication')
                 ->setActionName('login');
         return false;
      }

      // then the action
      $hasRole = false;
      $isAllowed = false;
      foreach($user->getGroups() as $group) {
         if($acl->hasRole($group)) {
            $hasRole = true;
         }
         if($acl->isAllowed($group, $presource)) {
            $isAllowed = true;
         }
      }

      if($acl->hasRole($user) && $acl->has($presource) && $acl->isAllowed($user, $presource)) {
         $resource = Model_File::findById($params['action']);
         if($resource && $resource->getId()) {
            $acl = $factory->createFileAcl($resource, $user);
            if($acl->hasRole($user) && $acl->has($resource)) {
               if($acl->isAllowed($user, $resource)) {
                  return true;
               } else {
                  //return false;
               }
            }
         } else {
            return true;
         }
         return true;
      } else {
         return false;
      }

      /*if(isset($params['file'])) {
      $resource = File::findById($params['file']);
      $acl = $factory->createFileAcl($resource, $user);
      } else if(isset($params['category'])) {
      $resource = Category::findById($params['category']);
      $acl = $factory->createCategoryAcl($resource, $user);
      } else {
      //since we only care about access to files/categories,
      //we'll return true if those aren't being accessed
      return true;
      }*/

      /*return
      $acl->hasRole($user) &&
      $acl->has($resource) &&
      $acl->isAllowed($user, $resource);*/
   }
}
